First Flight #12: Kitty Connect

Beginner FriendlyFoundryNFTGameFi

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

Lack of Parameter Validation in `KittyConnnect::mintCatToNewOwner` Function

yaioxy

Vulnerability Details

The KittyConnnect::mintCatToNewOwner function lacks proper parameter validation, which can lead to vulnerabilities and inconsistencies in the system. Parameters such as catOwner, catIpfsHash, catName, breed, and dob should be thoroughly validated to ensure data integrity and prevent potential exploits.

Impact

Data Integrity Risk: Without proper validation, invalid or malicious inputs may be accepted, leading to data integrity issues.
Exploitation Potential: Malicious actors could exploit the lack of validation to inject invalid data or manipulate the system.

POC

A malicious user could provide invalid or empty values for catIpfsHash, catName, breed, or dob, compromising the integrity of the NFT metadata.
Providing an invalid catOwner address (e.g., address 0) could lead to unexpected behavior or manipulation of ownership.

Tools Used

Manual Review

Recommendations

Validate catOwner parameter to ensure it is not address 0 and is a valid Ethereum address.
Require catIpfsHash, catName, breed, and dob parameters to be non-empty and valid.
Implement thorough input validation for all parameters to prevent data integrity risks.

function mintCatToNewOwner(

address catOwner,

string memory catIpfsHash,

string memory catName,

string memory breed,

uint256 dob

) external onlyShopPartner {

+ require(catOwner != address(0), "Invalid cat owner address");

+ require(bytes(catIpfsHash).length > 0, "IPFS hash must not be empty");

+ require(bytes(catName).length > 0, "Cat name must not be empty");

+ require(bytes(breed).length > 0, "Breed must not be empty");

+ require(dob <= block.timestamp, "Date of birth must be in the past");

+ require(dob > 0, "Invalid DOB");

// Rest of the function...

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

over 1 year ago

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Inputed cat dob can be in the future, making a function revert due to underflow.

Rewards breakdown

nSLOC

235

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.